<html>
<head><meta charset="utf-8"><title>Statically-linked C/C++ libraries · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html">Statically-linked C/C++ libraries</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="244976200"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/244976200" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> amousset <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#244976200">(Jul 05 2021 at 21:40)</a>:</h4>
<p>I started working a bit on the topic of statically linked C/C++ libraries (after enabling openssl static compilation in a Rust project and finding it both fantastically handy and dangerous from a traceability and security standpoint). I tried to document the current situation and the existing issues, along with a few improvement ideas, in <a href="https://amousset.github.io/source-crates/">https://amousset.github.io/source-crates/</a> Any opinion about this? What would be the best way to make progress on this topic?</p>



<a name="244979437"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/244979437" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#244979437">(Jul 05 2021 at 22:43)</a>:</h4>
<p>Addressing statically linked libraries <em>and</em> an experimental mod to <code>cargo supply-chain</code>? I need to read this! <br>
Ping me here if I don't reply by tomorrow.</p>



<a name="245039060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245039060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245039060">(Jul 06 2021 at 13:34)</a>:</h4>
<p><span class="user-mention" data-user-id="409696">@amousset</span> I agree with pretty much everything! That sounds like something I would have done, and I mean that in the best possible way. I believe the problem is real and what you propose is a reasonable solution.<br>
I'm not entirely sold on having the license and upstream repo metadata in a third-party repository. I'd rather have it right in the -src crate. I wonder if we can (ab)use the existing Cargo.toml format for that? After all, it is needed for an upload to <a href="http://crates.io">crates.io</a> regardless, and e.g. <a href="https://github.com/alexcrichton/openssl-src-rs/blob/master/Cargo.toml">openssl-src ships it</a>.</p>



<a name="245039859"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245039859" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245039859">(Jul 06 2021 at 13:41)</a>:</h4>
<p>I'm also not convinced that submodules are a good idea. There are a lot of pitfalls around them; for one, a repo with submodules is no longer defined by its commit hash, which makes reproducibility a lot harder.<br>
Also, it turns out that C/C++ projects often have different contents in git compared to release tarballs, and require different procedures to build from git vs release tarballs.</p>



<a name="245040500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245040500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245040500">(Jul 06 2021 at 13:47)</a>:</h4>
<p>I strongly support the <code>-src</code> crate convention, for all the reasons you've listed. Automatic detection of CVEs sounds great, and relatively easy to implement.</p>



<a name="245040503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245040503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245040503">(Jul 06 2021 at 13:47)</a>:</h4>
<p>Another thing I've lamented is how much e.g. curl versions lag behind upstream, even in case of critical security fixes. We could build automated infrastructure for updating library versions: new release tarballs could be pulled automatically, and with a bit of work even published automatically:  we could run <code>crater</code> on the dependencies of the crate before and after the update, if all tests pass then publish it without requiring manual review. I believe <span class="user-mention" data-user-id="229913">@HeroicKatora</span> has been working on a "crater for your dependencies" kind of tool</p>



<a name="245041518"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245041518" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245041518">(Jul 06 2021 at 13:54)</a>:</h4>
<p>Hmm, how should the version synchronization between <code>-sys</code> and <code>-src</code> crates be handled? Is there a way to specify "I want <code>-src</code> version X" even though you don't depend on it directly? If not, should <code>-sys</code> and <code>src</code> crates be published together and always have the same version to allow selecting a specific version of <code>-src</code> crate?</p>



<a name="245042199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245042199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245042199">(Jul 06 2021 at 13:59)</a>:</h4>
<p><span class="user-mention" data-user-id="409696">@amousset</span> I believe the best way to make progress on this is get a project group going. You can find out more about those <a href="https://rust-lang.github.io/rfcs/2856-project-groups.html">here</a><br>
The goals would be something along the lines of creating guidelines for handling externally imported code and developing the supporting tooling (automatic import of new releases, automatic import of CVEs to RustSec, etc)<br>
Or, in terms of problems rather than solutions - make it easier to import C/C++ code in a secure and reliable manner and keep it up-to-date</p>



<a name="245042458"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245042458" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245042458">(Jul 06 2021 at 14:01)</a>:</h4>
<p>I would be happy to act as the liason for RustSec and cargo-supply-chain, but my availability during the rest of the summer may be spotty.</p>



<a name="245063320"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245063320" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245063320">(Jul 06 2021 at 16:21)</a>:</h4>
<p>Oh, putting the upstream version in build metadata (i.e. after <code>+</code>) is not a great idea because according to the <a href="https://semver.org/#spec-item-11">semver spec</a> there is no defined ordering for versions that only differ by build metadata. Meaning it might not be possible to match on <em>some build versions but not others,</em> which would be necessary for RustSec. But that's details.</p>



<a name="245068613"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245068613" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> amousset <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245068613">(Jul 06 2021 at 17:03)</a>:</h4>
<p>Thanks a lot for your detailed feedback!  I definitely agree that the information about the upstream software should ideally live in Cargo.toml, it was mainly to be able to see how tooling could be improved in the meantime.<br>
For the submodules the drawbacks you mention are indeed a problem, and using tarballs could be better, even if it requires a bit more work from the maintainer, it will be a topic to discuss.<br>
About <code>-sys</code> vs. <code>-src</code> versioning, the problem is that the version of the <code>-src</code> crate must reflect both upstream semantic and changes that may happen in the build scripts/cargo config. It seems that for now only the latest upstream version is available and maintained in most <code>-src</code> crates, avoiding the problem.</p>



<a name="245069091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245069091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> amousset <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245069091">(Jul 06 2021 at 17:07)</a>:</h4>
<p>About the usage of the build metadata and the lack of ordering, it is a good point, and existing <code>-src</code> crates seem to always bump the main version in addition to update the build version (so it is mostly used as documentation and not for actual use in RustSec or other tooling)</p>



<a name="245081501"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Statically-linked%20C/C%2B%2B%20libraries/near/245081501" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> amousset <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Statically-linked.20C.2FC.2B.2B.20libraries.html#245081501">(Jul 06 2021 at 18:41)</a>:</h4>
<p>I'll look into the idea of a project group, thanks for the suggestion.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>